Protecting the Power Grid: Utilizing the CARVER Target Analysis and Vulnerability Assessment Methodology to Comply with NERC CIP-014 Regulations

By Leo Labaj and Bruce Barnes

As a nation, the United States has become addicted to the steady and dependable delivery of electrical power.  Without electricity the world, as we know it, would cease to function (imagine no lights, television, cell phones, computers etc.).   The US Power Grid is enormously complex and consists of over 11,000 generation facilities, in excess of 200,000 miles of high voltage transmission lines, and thousands of substations.  As such, the energy sector is considered the most critical of critical infrastructure and is arguably the backbone of our modern society, due to critical dependencies and interdependencies with other utility sectors.  

With today’s heightened risk of terrorist attacks, threats to the energy sector have been increasing, and it is only a matter of time before a major attack is conducted directly against an electric utility or indirectly against the community it serves.  For those malicious individuals or groups who seek to inflict harm against the United States, striking the electrical grid would cause significant physical, economic, and psychological damage. The loss of electric power resulting from a successful attack, could quickly cascade to other lifeline infrastructure sectors, potentially degrading essential services necessary for public health and safety.  

Since the vast majority of the power grid is owned and operated by the private sector, the North American Electric Reliability Corporation (NERC), appointed by the Department of Energy to promote the reliability and security of the power grid, has created a new reliability standard for Critical Infrastructure Protection (CIP) to ensure the grid remains robust and resilient.  

Per recent NERC guidelines, the regulation known as Critical Infrastructure Protection 014 (CIP-014) has been established to ensure that individual power operators comply with a standard level of security protection.  The CIP-014 regulation states:

To identify and protect Transmission stations and Transmission substations, and their associated primary control centers, that if rendered inoperable or damaged as a result of a physical attack could result in a widespread instability, uncontrolled separation, or Cascading within an interconnection.

The CIP-014 standard standard is non-prescriptive, in that it does not mandate specific security measures.  However, the intent of the standard is clear in expecting electric utilities to “step up their game” when it comes to protecting the power grid.  Utilities have a strong incentive to comply with this standard, since NERC has the ability to levy fines for non-compliance in the amount of up to one million dollars per day! 

NERC CIP-014 Requirements

CIP-014 consists of six primary requirements that transmission owners and operators must follow to enhance the physical security of identified transmission substations and primary control centers.   It starts with conducting an initial risk assessment to identify critical assets, conducting vulnerability assessments of potential threats, and developing associated security plans to mitigate those risks identified.  Finally, the utility must seek out an independent third party to review and validate their plans (See www.nerc.com for specific requirements).   

Utilities have a choice to conduct the assessments utilizing in-house security professionals, or to outsource the entire process to an independent third party.  Regardless of who performs the work, the process used to conduct the threat and vulnerability assessment and physical security plan (Requirements R4 & R5) must be well-documented and defined, so that it can withstand potential scrutiny from a variety of sources such as concerned customers, local governments, public utility commissions, as well as the media.   

Additionally, due to the inability to protect their vast network of components from attack, as well as limited financial resources, utilities may be unable to deploy all of the physical security countermeasure they might like to have in order to protect their assets.   This reality requires utilities to have a firm understanding of their critical facilities, key components, and vital control systems in order to appropriately prioritize and protect these assets.  

Employing the CARVER Target Analysis and Vulnerability Assessment Methodology

To best meet CIP-014 requirements, Security Management International (SMI), a leading intelligence advisory firm located in the Washington DC area, has employed the CARVER Target Analysis and Vulnerability Assessment Methodology – an assessment tool made famous by the Central Intelligence Agency (CIA) during the 1970s - at a multitude of high-risk facilities.  CARVER is an acronym for the following vulnerability assessment criteria: Criticality, Accessibility, Recognizability, Vulnerability, Effect, and Recoverability. SMI’s security subject matter experts (who are primarily comprised of former intelligence officers and military special operations personnel) found that the CARVER Methodology was an extremely well-suited tool, which could be used to both evaluate the potential vulnerabilities of Critical Infrastructure and  to prioritize critical assets based upon their probability of being attacked (i.e., target attractiveness).  

The CARVER Methodology was originally developed as an offensive target assessment tool, allowing to evaluate the vulnerabilities of enemy assets, and to determine how best to exploit those vulnerabilities to attack a target.  The methodology had its early roots in World War II, where bomber pilots used its precursor, known back then simply as “CARVE,” to identify attractive targets to bomb. Fast forward over fifty years and CARVER was still being used by the Department of Homeland Security as part of its Automated Critical Asset Management System (ACAMS).   ACAMS provided a set of tools and resources that helped law enforcement, public safety and emergency response personnel assess Critical Infrastructure/Key Resource (CI/KR) asset vulnerabilities. ACAMS was decommissioned in June, 2014; however, all of its files have been migrated to another program, the Infrastructure Protection Gateway (IP Gateway).

The CARVER assessment encompasses the following basic principles: 

• Examination of all security programs from the terrorist or adversary’s viewpoint, (i.e., how would I, if I were the adversary, attack this asset and what would I target?)
• Determination of what countermeasures would be required to prevent the terrorist or adversary from achieving success and thus, launching and completing the operation
• Assumption that conspicuous security procedures and equipment will not stop a determined terrorist or other adversary

Because the CARVER Methodology addresses both the physical security of a facility and the operational capabilities of terrorists or other adversary, it acts as a target selection tool that uses a quantitative ranking methodology to identify those targets most attractive to attack by an adversary.   The relative risk for each threat and target combination is determined using algorithms to analyze potential consequences, relative importance of targets to the aggressor, and security vulnerability levels. Countermeasures are then recommended to minimize the risk and; subsequently, the same methodology can be re-applied to determine if the risk reduction is achieved.  This iterative process is continued until the most cost-effective method of reducing the risk to an acceptable level is identified.  

The CARVER Target and Vulnerability Assessment process used by SMI has proven to be an effective tool for conducting a multitude of vulnerability assessments for water treatment plants, chemical manufacture and packaging facilities, transportation facilities, military bases, sports arenas, as well as electric substations and primary control centers.  

With the new requirements of NERC CIP-014, the CARVER Methodology not only has the additional benefit of helping electric utilities comply with standards, but it also documents both the quantitative and qualitative process used to review all of the critical assets identified on site.   Furthermore, it provides a clear quantifiable (and repeatable) process that can effectively be used to document and defend the decisions made to identify and protect critical assets.

The importance - and subsequent challenges - of protecting the electric power grid in the United States are well known.  As such, NERC has performed an exceptional job in response to these threats by implementing the CIP-014 requirements. However, with only limited resources often available,  utilities must now find a way to protect their most critical assets and focus resources on their primary objective… that of keeping the lights on!